-4

I need to write a page which does not allow the user to see the code. To catch the context menu open I want to use the JS event. To catch web-console open I want to use this: https://sindresorhus.com/devtools-detect/ and close the page. How to catch saving? Is it enough to catch Ctrl+S?

Suraj Rao
  • 29,388
  • 11
  • 94
  • 103
lith.al
  • 93
  • 3
  • 1
    _"I need to write a page which does not allow the user to see the code."_ That's not possible. I can download and analyze your code with wget, curl or Postman. – jabaa Nov 04 '21 at 16:15
  • Even if y ou can catch these, someone who wants to get the code can simply use `curl` or `wget` from the command line. Or they can use a packet capture tool while the browser is accessing the page. – Barmar Nov 04 '21 at 16:16
  • It is somewhat possible if you write css within the headers, but it's wacky and very very limited. – mstephen19 Nov 04 '21 at 16:16
  • https://sindresorhus.com/devtools-detect/ doesn't work for floating Dev Tools. Open Dev Tools, open the menu in the top right corner and select floating window. – jabaa Nov 04 '21 at 16:18
  • @lith.al Please fix your question title, it doesn't seem like you're asking about how to detect `ctrl+s` – Ruan Mendes Nov 04 '21 at 16:31
  • @jabaa Nope. It is a part of some project. It is a password for seeing page. – lith.al Nov 04 '21 at 16:39
  • I don't understand your comment, but it's impossible to hide something in frontend code. You can always open the DevTools. You can't detect open DevTools. You can download the code. There are no secrets in frontend code. – jabaa Nov 04 '21 at 16:44
  • @jabaa js will close page when user open DevTools – lith.al Nov 04 '21 at 16:46
  • I can open a website with open DevTools in a floating window. The website won't detect it. – jabaa Nov 04 '21 at 16:46
  • https://sindresorhus.com/devtools-detect/ -- this detect – lith.al Nov 04 '21 at 16:48
  • No, I tried it. I opened my DevTools in floating window mode and https://sindresorhus.com/devtools-detect/ didn't detect it. I made you a screenshot for the case you don't believe me: https://imgur.com/TGfamiD.png – jabaa Nov 04 '21 at 16:55
  • @lith.al Detecting that DevTools is open buys you nothing (and it doesn't work when DevTools is in a separate window as already mentioned. You do not seem to be even reading the advice we're giving you – Ruan Mendes Nov 04 '21 at 16:59
  • The problem with the DevTools in a separate window is a known bug https://github.com/sindresorhus/devtools-detect/issues/39 Every JavaScript beginner can load a website with a breakpoint in the debugger on page load. That way, you can see the whole code before the first line of JavaScript is even evaluated. No JavaScript code can help you if the browser doesn't evaluate JavaScript. Now I can read the code and remove all the "security" functions. That's something even children learn on pseudo-hacking websites. – jabaa Nov 04 '21 at 17:06
  • In Firefox this breakpoint is called `Script First Statement`: https://imgur.com/SW52r0K.png – jabaa Nov 04 '21 at 17:09

2 Answers2

0

No, trapping ctrl + s will only solve the case where the user uses a keyboard shortcut (be sure to remember it's cmd+s for Macs). They will still get the save webpage dialog if they use the File Menu or the context menu's "Save As" action. I have never heard of a way to trap those.

You will never be able to prevent the user from seeing your code, if the browser can download and execute it, the user can see it, whether through curl, a packet sniffer or DevTools.

The best you can do is obfuscate your code, which anyone with enough skills will be able to turn in to non-obfuscated code.

Ruan Mendes
  • 90,375
  • 31
  • 153
  • 217
  • user cant use curl. Here is password – lith.al Nov 04 '21 at 16:43
  • @lith.al If the user can open an URL in a browser, the same user can open the same URL with curl and see the code. – jabaa Nov 04 '21 at 16:48
  • @jabba Nope. User can open URL in browser and see the form for password. After insert password ajax change page. In curl is no way to insert password. – lith.al Nov 04 '21 at 16:54
  • @lith.al The user can sniff the network, and they will know the content of your AJAX request/response and they could call curl on that. Believe me, you're going down a rabbit hole of trying to secure an app on the client side, it's commonly known that this approach does not work if someone is determined to read your code – Ruan Mendes Nov 04 '21 at 16:57
  • @lith.al How are you going to handle scripted browsers like Puppeteer, Selenium or PhantomJS? You can just open the website, enter credentials and store the current code in a file without opening the DevTools. How are you going to handle remote debugging in Chrome and Firefox? I can open a website in one browser and connect through the remote debugging port with another browser. The website doesn't even know about the second browser but the second browser can read the code. That's not advanced hacking. That's absolute basic web debugging. – jabaa Nov 04 '21 at 17:21
-3

We can listen for keydown. If the ctrlKey and S key are being pressed, do the work. The preventDefault is preventing the save page dialog from opening up.

document.addEventListener('keydown', (e) => {
  if (e.ctrlKey && e.key === 's') {
    e.preventDefault();
    console.log('pressing ctrl+s')
  }
});

But preventing a user from seeing your code? That's a different story. We can detect Ctrl+S, but not prevent someone from seeing your code.

mstephen19
  • 1,733
  • 1
  • 5
  • 20
  • I think you missed the point of the question: "How to catch saving? Is it enough to catch Ctrl+S?" I think the OP understand they can trap `ctrl+s` but want to know if they can stop the user from saving a web page. Ultimately, their goal is to hide the code which most of us understand is not possible. – Ruan Mendes Nov 04 '21 at 16:17
  • It's not answering the question, if you remove your code to "teach" the user how to trap `ctrl+s`, I will remove the downvote, but in that case, your answer isn't saying much and I would just delete it. – Ruan Mendes Nov 04 '21 at 16:21